DHS bulletin delivery mishap causes consternation

Published 4 October 2007

A DHS contractor pushes the “Reply All” button and floods government and business mail servers with more than two million messages; personal information compromised

Beware of the “Reply All” function in your e-mail. Someone at DHS pushed the Reply All button on a daily news roundup e-mailed by DHS to some 7,500 people, including thousands of security professionals, flooding government and business mail servers with more than two million messages last Wednesday. The mishap also revealed all subscribers’ e-mail addresses, and in some cases other personal information, to other recipients of the DHS bulletin. Some of that information, including telephone numbers and titles of military personnel and government workers, may have been classified.

The New York Times’s Eric Lipton writes that the unintended spam run began when a recipient of the “DHS Daily Open Source Infrastructure Report” hit the Reply All button to transmit an e-mail address change request. Computerworld’s Gregg Keizer reports that by the end of the day, more than two million messages had been generated as recipients also using Reply or Reply All first complained about the spam surge, then added to the flood by mailing off-hand comments, humorous remarks, or demands that people stop sending messages.

The mail bouncing back and forth offered an unflattering picture, said Marcus Sachs, the director of the SANS Institute’s Internet Storm Center (ISC). “It revealed a nice cross-section of who subscribes to DHS daily publications and consider themselves part of the defensive security community,” Sachs said in a post to the ISC blog on Thursday. “Most definitely do not have the Jack Bauer (character from the series “24”) mentality of total seriousness and no-joking attitude.”

Sachs said that some ISC snooping found the DHS was not using a mail list manager, or listserv, such as the open-source Mailman or the free Majordomo, but instead was transmitting the daily report from an e-mail address on a Lotus Domino Release 7.0.2FP1 server hosted by a government contractor. “Quite likely an e-mail administrator either clicked a box last night, rebuilt the system, migrated it to a new server or did something that un-set a setting designed to prevent this type of event,” Sachs figured. Several list subscribers named Computer Sciences Corp. (CSC) as the contractor.
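As an added illustration (not code from the article, from DHS, or from the contractor), the following Python check is what a list owner or outbound mail gateway could run over a bulletin before it leaves, to catch the two conditions the story describes: subscriber addresses disclosed in To/Cc, and no list-manager headers or distinct Reply-To keeping replies off the whole distribution. The sample messages and addresses are constructed.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample messages for the check; they are not real DHS mail.
EXPOSED_BULLETIN = """\
From: bulletin@example.gov
To: alice@example.gov, bob@example.mil, carol@example.com
Subject: Daily Open Source Infrastructure Report

Today's report.
"""

LIST_BULLETIN = """\
From: bulletin@example.gov
To: undisclosed-recipients:;
Reply-To: bulletin-owner@example.gov
List-Id: Daily report <bulletin.example.gov>
List-Post: NO
Subject: Daily Open Source Infrastructure Report

Today's report.
"""


def audit_bulletin(raw, max_visible=1):
    """Return a list of findings for one raw RFC 5322 bulletin message.

    An empty list means the distribution is hidden, list-manager headers are
    present, and replies are routed away from the broadcast address.
    """
    msg = message_from_string(raw)
    findings = []
    # 1. Every address placed in To/Cc is visible to every other recipient.
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    visible = [addr for _, addr in getaddresses(headers) if addr]
    if len(visible) > max_visible:
        findings.append(f"{len(visible)} recipient addresses exposed in To/Cc")
    # 2. RFC 2369 headers show a list manager in the path; a one-way bulletin
    #    should carry List-Post: NO so subscriber posts are not re-broadcast.
    if msg.get("List-Id") is None:
        findings.append("no List-Id header: message not sent through a list manager")
    elif msg.get("List-Post", "").strip().upper() != "NO":
        findings.append("List-Post is not NO: posts can be re-broadcast to all subscribers")
    # 3. Without a distinct Reply-To, a plain Reply goes back to the sending address.
    sender = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if not reply_to or reply_to == sender:
        findings.append("replies return to the broadcast address: no distinct Reply-To")
    return findings
```

Run `audit_bulletin(EXPOSED_BULLETIN)` to see all three findings, and `audit_bulletin(LIST_BULLETIN)` for the clean case; the threshold `max_visible` lets a gateway tolerate a small, intentional Cc.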

There was a serious side to the error: because every reply went to every subscriber, e-mail addresses and other potentially confidential information — details in the sender’s default e-mail signature, for example — were disclosed to the entire list. ISC’s Sachs points out that “All it takes now is some wise-acre (or a BadGuy) to send a zero-day PDF or Word attachment to the names now available and nail a few dozen gullible security professionals.” Hackers, phishers, and other cyber criminals look for exactly the kind of information the DHS list disclosed, since it makes their socially engineered messages and targeted attacks that much more convincing.

If you are still interested in subscribing to the “DHS Daily Open Source Infrastructure Report,” you may do so here.